CVE-2026-41008

Vulnerability

Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. This allows an attacker to craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri. Affected versions include Spring Security 7.0.0 through 7.0.5 and Spring Authorization Server 1.5.0 through 1.5.7 [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious authorization request. This request would contain an invalid request_uri parameter along with an arbitrary redirect_uri. The insufficient validation allows the attacker's provided redirect_uri to be used, leading to the redirection.

Impact

Successful exploitation of this vulnerability can lead to an Open Redirect. This means an attacker can redirect users to an arbitrary external website, potentially for phishing attacks or to host malicious content, by manipulating the redirect_uri parameter [1].

Mitigation

Users of affected versions should upgrade to Spring Security 7.0.6 or later, and Spring Authorization Server 1.5.8 or later. These fixed versions address the vulnerability. No workarounds are mentioned in the available references [1].